b'      DEPARTMENT OF HEALTH & HUMAN SERVICES                               Office of Inspector General\n\n\n                                                                           Washington, D.C. 20201\n\n\n\n\nSeptember 22, 2011\n\nTO:            Donald M. Berwick, M.D.\n               Administrator\n               Centers for Medicare & Medicaid Services\n\n\nFROM:          /Daniel R. Levinson/\n               Inspector General\n\n\nSUBJECT:       Review of Medicare Contractor Information Security Program Evaluations for\n               Fiscal Year 2009 (A-18-10-30300)\n\n\nThe attached final report provides the results of our Medicare contractor information security\nprogram evaluations for fiscal year 2009.\n\nThe Medicare Prescription Drug, Improvement, and Modernization Act of 2003 added\ninformation security requirements for Medicare administrative contractors, fiscal intermediaries,\nand carriers to section 1874A of the Social Security Act (the Act) (42 U.S.C. \xc2\xa7 1395kk:-l).\nPursuant to section 1874A of the Act, each Medicare contractor must have its information\nsecurity program evaluated annually by an independent entity. Section 1874A of the Act further\nrequires the Inspector General, Department of Health and Human Services, to submit to\nCongress annual reports on the results of these evaluations, to include assessments of their scope\nand sufficiency.\n\nSection 8L of the Inspector General Act, 5 U.S.C. App., requires that the Office of Inspector\nGeneral (OIG) post its publicly available reports on the OIG Web site. Accordingly, this report\nwill be posted at http://oig.hhs.gov.\n\nIf you have any questions or comments about this report, please do not hesitate to call me, or\nyour staff may contact Lori S. Pilcher, Assistant Inspector General for Grants, Internal Activities,\nand Information Technology Audits, at (202) 619-1175 or through email at\nLori.Pilcher@oig.hhs.gov. 
We look forward to receiving your final management decision within\n6 months. Please refer to report number A-18-10-30300 in all correspondence.\n\n\nAttachment\n\x0c Department of Health and Human Services\n             OFFICE OF\n        INSPECTOR GENERAL\n\n\n\n\nREVIEW OF MEDICARE CONTRACTOR\n     INFORMATION SECURITY\n   PROGRAM EVALUATIONS FOR\n       FISCAL YEAR 2009\n\n\n\n\n                        Daniel R. Levinson\n                         Inspector General\n\n                         September 2011\n                          A-18-10-30300\n\x0c                        Office of Inspector General\n                                          http://oig.hhs.gov\n\n\n\nThe mission of the Office of Inspector General (OIG), as mandated by Public Law 95-452, as amended, is\nto protect the integrity of the Department of Health and Human Services (HHS) programs, as well as the\nhealth and welfare of beneficiaries served by those programs. This statutory mission is carried out\nthrough a nationwide network of audits, investigations, and inspections conducted by the following\noperating components:\n\nOffice of Audit Services\n\nThe Office of Audit Services (OAS) provides auditing services for HHS, either by conducting audits with\nits own audit resources or by overseeing audit work done by others. Audits examine the performance of\nHHS programs and/or its grantees and contractors in carrying out their respective responsibilities and are\nintended to provide independent assessments of HHS programs and operations. These assessments help\nreduce waste, abuse, and mismanagement and promote economy and efficiency throughout HHS.\n\nOffice of Evaluation and Inspections\nThe Office of Evaluation and Inspections (OEI) conducts national evaluations to provide HHS, Congress,\nand the public with timely, useful, and reliable information on significant issues. 
These evaluations focus\non preventing fraud, waste, or abuse and promoting economy, efficiency, and effectiveness of\ndepartmental programs. To promote impact, OEI reports also present practical recommendations for\nimproving program operations.\n\nOffice of Investigations\nThe Office of Investigations (OI) conducts criminal, civil, and administrative investigations of fraud and\nmisconduct related to HHS programs, operations, and beneficiaries. With investigators working in all 50\nStates and the District of Columbia, OI utilizes its resources by actively coordinating with the Department\nof Justice and other Federal, State, and local law enforcement authorities. The investigative efforts of OI\noften lead to criminal convictions, administrative sanctions, and/or civil monetary penalties.\n\nOffice of Counsel to the Inspector General\nThe Office of Counsel to the Inspector General (OCIG) provides general legal services to OIG, rendering\nadvice and opinions on HHS programs and operations and providing all legal support for OIG\xe2\x80\x99s internal\noperations. OCIG represents OIG in all civil and administrative fraud and abuse cases involving HHS\nprograms, including False Claims Act, program exclusion, and civil monetary penalty cases. In\nconnection with these cases, OCIG also negotiates and monitors corporate integrity agreements. OCIG\nrenders advisory opinions, issues compliance program guidance, publishes fraud alerts, and provides\nother guidance to the health care industry concerning the anti-kickback statute and other OIG enforcement\nauthorities.\n\x0c                         Notices\n\n\n    THIS REPORT IS AVAILABLE TO THE PUBLIC\n              at http://oig.hhs.gov\n\n Section 8L of the Inspector General Act, 5 U.S.C. 
App., requires\n that OIG post its publicly available reports on the OIG Web site.\n\nOFFICE OF AUDIT SERVICES FINDINGS AND OPINIONS\n\n The designation of financial or management practices as\n questionable, a recommendation for the disallowance of costs\n incurred or claimed, and any other conclusions and\n recommendations in this report represent the findings and\n opinions of OAS. Authorized officials of the HHS operating\n divisions will make final determination on these matters.\n\x0c                                  EXECUTIVE SUMMARY\n\nBACKGROUND\n\nThe Medicare Prescription Drug, Improvement, and Modernization Act of 2003 added\ninformation security requirements for Medicare administrative contractors (MAC), fiscal\nintermediaries, and carriers to the Social Security Act (the Act). These contractors process and\npay Medicare fee-for-service claims. Each Medicare contractor must have its information\nsecurity program evaluated annually by an independent entity, and these evaluations must\naddress the eight major requirements enumerated in the Federal Information Security\nManagement Act of 2002 (FISMA). To comply with this provision, the Centers for Medicare\n& Medicaid Services (CMS) contracted with PricewaterhouseCoopers (PwC) to evaluate\ninformation security programs at the MACs, fiscal intermediaries, and carriers using a set of\nagreed-upon procedures.\n\nThe Act also requires evaluations of the information security controls for a subset of systems but\ndoes not specify the criteria for these evaluations. To satisfy this requirement, CMS developed\nan information security assessment methodology to test segments of the claims processing\nsystems at Medicare data centers, which operate the computer systems that process and pay\nMedicare fee-for-service claims. 
CMS contracted with iFed, LLC (iFed), to perform technical\nassessments at Medicare data centers using the assessment methodology.\n\nThe Inspector General, Department of Health and Human Services, must submit to Congress\nannual reports on the results of these evaluations, to include assessments of their scope and\nsufficiency. This report fulfills that responsibility for fiscal year (FY) 2009.\n\nOBJECTIVES\n\nOur objectives were to (1) assess the scope and sufficiency of Medicare contractor information\nsecurity program evaluations and data center technical assessments and (2) report the results of\nthose evaluations and assessments.\n\nSUMMARY OF RESULTS\n\nPwC\xe2\x80\x99s evaluations of the contractor information security programs were adequate in scope and\nwere sufficient. iFed\xe2\x80\x99s assessments for most of the data centers tested were adequate in scope\nand were sufficient. PwC reported a total of 94 gaps at 21 Medicare contractors. iFed reported a\ntotal of 67 gaps at 7 data centers.\n\nAssessment of Scope and Sufficiency\n\nPwC\xe2\x80\x99s evaluations of the contractor information security programs adequately encompassed in\nscope and sufficiency the eight FISMA requirements referenced in the Act.\n\niFed\xe2\x80\x99s evaluations of the information security controls at most of the Medicare data centers\ntested were adequate in scope and were sufficient. 
However, for two data centers, we could not\n\n                                                 i\n\x0cdetermine whether the scope was adequate and the evaluations were sufficient because of several\nissues with its working papers, such as insufficient evidence that all testing procedures had been\ncompleted.\n\nResults of Evaluations and Assessments\n\nThe results of the contractor information security program evaluations and data center technical\nassessments are presented in terms of gaps, which are defined as the differences between FISMA\nor CMS core security requirements and the contractors\xe2\x80\x99 implementation of them.\n\nResults of Contractor Information Security Program Evaluations\n\nIn the 21 PwC evaluation reports for FY 2009, which covered all MACs, fiscal intermediaries,\nand carriers, PwC identified a total of 94 gaps. The number of gaps per contractor ranged from 0\nto 15 and averaged 4. The most gaps occurred in the following FISMA control areas: testing of\ninformation security controls (22 gaps at 11 contractors), security program and system security\nplans (17 gaps at 9 contractors), security awareness training (16 gaps at 5 contractors), and\ncontinuity of operations planning (13 gaps at 5 contractors).\n\nThe number of gaps reported in the PwC FY 2009 evaluation reports decreased by 42 percent\nwhen compared with the results for FY 2008. While the number of contractors with no gaps\nincreased by 6 (150 percent), the number of contractors with 10 or more gaps stayed the same\nat 5.\n\nResults of Data Center Technical Assessments\n\nThe 7 Medicare data center technical assessment reports prepared by iFed identified a total of\n67 gaps. The number of gaps reported per data center ranged from 0 to 44. 
Most of the security\ngaps occurred in the following security control categories: configuration management (28 gaps\nat 2 data centers), access control (16 gaps at 2 data centers), media protection (7 gaps at 2 data\ncenters), and system and services acquisition (6 gaps at 3 data centers).\n\nThe total number of gaps identified in FY 2009 (67) was 19 gaps higher than the number\nidentified in FY 2008 (48). However, this was mainly because 1 contractor had 44 gaps\nidentified by a vulnerability scan. CMS uses a rotational approach in performing its technical\nassessments of data centers. Some categories are not tested every year. We did not perform a\ndetailed comparison of the number of gaps identified within the categories tested for the 2 FYs\nbecause the same categories were not tested by iFed at all data centers assessed in FY 2009.\n\nOf the 67 gaps iFed identified at the 7 data centers, 18 gaps were resolved and closed during or\nafter iFed\xe2\x80\x99s onsite visits. Hence, a total of 49 gaps at data centers required corrective action in\nFY 2009.\n\n\n\n\n                                                  ii\n\x0cRECOMMENDATION\n\nWe recommend that CMS review all contractor documentation related to future data center\ntechnical assessments and ensure that the work performed complies with CMS contractual\nrequirements. At a minimum, this should include a review of test plans to ensure that the\ncontractor has completed all required testing procedures and a review of contractor working\npapers to verify that reported gaps have been adequately supported.\n\nCENTERS FOR MEDICARE & MEDICAID SERVICES COMMENTS\n\nIn written comments on our draft report, CMS concurred with our recommendation. CMS also\nstated that it would take the appropriate actions to address the identified issues. 
We have\nincluded CMS\xe2\x80\x99s comments in their entirety as Appendix G.\n\n\n\n\n                                               iii\n\x0c                                                  TABLE OF CONTENTS\n\n\n                                                                                                                             Page\n\nINTRODUCTION............................................................................................................. 1\n\n          BACKGROUND .....................................................................................................1\n              The Medicare Program ................................................................................. 1\n              Medicare Prescription Drug, Improvement, and Modernization\n               Act of 2003 ................................................................................................ 1\n              Centers for Medicare & Medicaid Services Evaluation Process\n               for Fiscal Year 2009................................................................................... 2\n\n          OBJECTIVES, SCOPE, AND METHODOLOGY .................................................3\n              Objectives ..................................................................................................... 3\n              Scope ............................................................................................................. 3\n              Methodology ................................................................................................. 3\n\nRESULTS OF REVIEW .................................................................................................. 
4\n\n          ASSESSMENT OF SCOPE AND SUFFICIENCY ................................................4\n\n          RESULTS OF MEDICARE CONTRACTOR INFORMATION SECURITY\n          PROGRAM EVALUATIONS.................................................................................5\n              Testing of Information Security Controls ..................................................... 6\n              Security Program and System Security Plans ............................................... 7\n              Security Awareness Training ........................................................................ 8\n              Continuity of Operations Planning ............................................................... 8\n\n          RESULTS OF DATA CENTER TECHNICAL ASSESSMENTS .........................9\n              Configuration Management ........................................................................ 11\n              Access Control ............................................................................................ 12\n              Media Protection ......................................................................................... 12\n              System and Services Acquisition ................................................................ 
12\n\n          CONCLUSION ......................................................................................................13\n\n          RECOMMENDATION .........................................................................................13\n\n          CENTERS FOR MEDICARE & MEDICAID SERVICES COMMENTS ..........13\n\nAPPENDIXES\n\n        A: ASSESSMENT OF SCOPE AND SUFFICIENCY FOR THE iFed DATA CENTER\n           ASSESSMENTS\n\n\n                                                                     iv\n\x0cB: LIST OF GAPS BY FEDERAL INFORMATION SECURITY MANAGEMENT ACT\n   OF 2002 CONTROL AREA AND MEDICARE CONTRACTOR\n\nC: PERCENTAGE CHANGE IN GAPS PER MEDICARE CONTRACTOR\n\nD: MEDICARE CONTRACTOR CHANGE IN TOTAL GAPS BY FEDERAL\n   INFORMATION SECURITY MANAGEMENT ACT OF 2002 CONTROL AREA\n\nE: RESULTS OF MEDICARE CONTRACTOR EVALUATIONS FOR FEDERAL\n   INFORMATION SECURITY MANAGEMENT ACT OF 2002 CONTROL AREAS\n   WITH THE GREATEST NUMBER OF GAPS\n\nF: LIST OF GAPS BY NATIONAL INSTITUTE OF STANDARDS AND\n   TECHNOLOGY SECURITY CONTROL AREA AND DATA CENTER\n\nG: CENTERS FOR MEDICARE & MEDICAID SERVICES COMMENTS\n\n\n\n\n                             v\n\x0c                                            INTRODUCTION\n\nBACKGROUND\n\nThe Medicare Program\n\nThe Centers for Medicare & Medicaid Services (CMS) administers the Medicare program.\nMedicare is a health insurance program for people age 65 or older, people under age 65 with\ncertain disabilities, and people of all ages with end-stage renal disease. In fiscal year (FY) 2009,\nMedicare paid more than $430 billion on behalf of more than 46 million Medicare beneficiaries.\nCMS contracts with Medicare Administrative Contractors (MAC), fiscal intermediaries, and\ncarriers to administer Medicare benefits paid on a fee-for-service basis. 
CMS uses enterprise\ndata centers to process all Medicare fee-for-service claims.\n\nIn FY 2009, 11 distinct entities served as fiscal intermediaries, carriers, and Part A/B MACs.\nTwo external entities operated enterprise data centers to process all Medicare fee-for-service\nclaims. Thus, 13 distinct entities processed and paid Medicare fee-for-service claims.\n\nMedicare Prescription Drug, Improvement, and Modernization Act of 2003\n\nThe Medicare Prescription Drug, Improvement, and Modernization Act of 2003 (MMA) added\ninformation security requirements for MACs, fiscal intermediaries, and carriers to section 1874A\nof the Social Security Act (the Act). 1 (See 42 U.S.C. \xc2\xa7 1395kk-1.) Pursuant to section\n1874A(e)(2)(A) of the Act, each MAC, fiscal intermediary, and carrier must have its information\nsecurity program evaluated annually by an independent entity. This section requires that these\nevaluations address the eight major requirements enumerated in the Federal Information Security\nManagement Act of 2002 (FISMA). (See 44 U.S.C. \xc2\xa7 3544(b).) These requirements, referred to\nas \xe2\x80\x9cFISMA control areas\xe2\x80\x9d in this report, are:\n\n        1. periodic risk assessments,\n\n        2. policies and procedures to reduce risk,\n\n        3. security program and system security plans,\n\n        4. security awareness training,\n\n        5. testing of information security controls,\n\n        6. remedial actions,\n\n\n\n\n1\n The MMA contracting reform provisions added to section 1874A of the Act replace existing fiscal intermediaries\nand carriers with MACs, which are competitively selected. Until all MACs are in place, the requirements of\nsection 1874A also apply to fiscal intermediaries and carriers.\n\n                                                       1\n\x0c       7. incident response, and\n\n       8. 
continuity of operations planning.\n\nSection 1874A(e)(2)(A)(ii) of the Act requires that the effectiveness of information security\ncontrols be tested for an appropriate subset of Medicare contractors\xe2\x80\x99 information systems.\nHowever, this section does not specify the criteria for evaluating these security controls. CMS\ndeveloped an information security assessment methodology to comply with this provision.\n\nAdditionally, section 1874A(e)(2)(C)(ii) of the Act requires the Inspector General of the\nDepartment of Health and Human Services to submit to Congress annual reports on the results of\nsuch evaluations, including assessments of their scope and sufficiency. This report fulfills that\nresponsibility for FY 2009.\n\nCenters for Medicare & Medicaid Services Evaluation Process for Fiscal Year 2009\n\nCMS developed agreed-upon procedures (AUP) for the program evaluation based on the\nrequirements of section 1874A(e)(1) of the Act, FISMA, information security policy and\nguidance from the Office of Management and Budget and the National Institute of Standards and\nTechnology (NIST), and the Government Accountability Office\xe2\x80\x99s (GAO) Federal Information\nSystems Controls Audit Manual (FISCAM). The independent auditors, PricewaterhouseCoopers\n(PwC), under contract with CMS, used the AUPs to evaluate the information security programs\nat 11 entities. Many of the entities had multiple contracts with CMS to fulfill their\nresponsibilities as Medicare fiscal intermediaries, carriers, A/B MACs, and Durable Medical\nEquipment MACs. Testing was performed for each of the contracted services. As a result, PwC\nperformed evaluations and issued separate reports for 21 MACs, fiscal intermediaries, and\ncarriers. 
The AUPs are the same as those used in FY 2008.\n\nTo comply with the section 1874A(e)(2)(A)(ii) requirement to test the effectiveness of\ninformation security controls for an appropriate subset of contractors\xe2\x80\x99 information systems, CMS\ncontracted with iFed, LLC (iFed), to plan, develop, and implement a comprehensive program to\nperform testing of information security controls at seven Medicare data centers (five fiscal\nintermediaries\xe2\x80\x99 data centers and two enterprise data centers). iFed performed the assessments\nand issued separate reports for each of the seven Medicare data centers. Beginning in FY 2010,\nCMS contracted with PwC to perform the testing of information security controls at the\nMedicare data centers at the same time PwC evaluates the information security programs at the\nMACs, fiscal intermediaries, and carriers.\n\nTable 1 summarizes the change in the number of Medicare contractors and data centers tested.\nIn FY 2008, there were 26 Medicare contractors and 8 Medicare data centers tested. 
Changes\nduring FY 2009 resulted in the testing of 21 Medicare contractors and 7 Medicare data centers.\n\n\n\n\n                                                2\n\x0c    Table 1: Change in the Number of Medicare Contractors and Data Centers Tested\n                                                                   Medicare    Medicare\n                                                                  Contractors Data Centers\nEnding Balance, FY 2008                                                26           8\nLess: Entities that were no longer in the Medicare program by the       7           1\nend of FY 2009\nAdd: MACs                                                               2\nEnding Balance, FY 2009                                                21           7\n\nOBJECTIVES, SCOPE, AND METHODOLOGY\n\nObjectives\n\nOur objectives were to (1) assess the scope and sufficiency of Medicare contractor information\nsecurity program evaluations and data center technical assessments and (2) report the results of\nthose evaluations and assessments.\n\nScope\n\nWe evaluated the FY 2009 results of the independent evaluations and technical assessments of\nMedicare contractors\xe2\x80\x99 information security programs. Our review did not include an evaluation\nof internal controls. 
We performed our reviews of PwC and iFed working papers at CMS\nheadquarters in Baltimore, Maryland, and at Office of Inspector General regional offices.\n\nMethodology\n\nTo accomplish our objectives, we performed the following steps:\n\n        \xe2\x80\xa2    To assess the scope of the evaluations of contractor information security programs,\n             we determined whether the AUPs included the eight FISMA control requirements\n             enumerated in section 1874A(e)(1) of the Act.\n\n        \xe2\x80\xa2    To assess the sufficiency of the evaluations of contractor information security\n             programs, we reviewed PwC working papers supporting the evaluation reports to\n             determine whether PwC completed the AUPs listed in the reports. We also\n             determined whether PwC conducted the evaluations in accordance with attestation\n             engagement standards established by the American Institute of Certified Public\n             Accountants and in accordance with Government Auditing Standards. In addition, we\n             determined whether the evaluation reports encompassed the eight FISMA control\n             areas.\n\n        \xe2\x80\xa2    To assess the scope of the data center technical assessments, we reviewed the contract\n             and statement of work between CMS and iFed and verified that iFed performed the\n             work that CMS had specified.\n\n\n\n                                                 3\n\x0c        \xe2\x80\xa2    To assess the sufficiency of the data center technical assessments, we reviewed\n             working papers to verify that iFed completed all test procedures, reported all\n             medium- and high-risk gaps, and adequately supported all reported results with\n             sufficient and appropriate evidence. 
2\n\n        \xe2\x80\xa2    To report on the results of the iFed evaluations and technical assessments, we\n             aggregated the results contained in the individual contractor evaluation reports and\n             data center technical assessment reports. We used the business risks listed in the\n             individual technical assessment reports to aggregate the results. For the PwC\n             evaluations, we used the number of gaps listed in the individual contractor evaluation\n             reports to aggregate the results. In some instances, several gaps were noted under\n             multiple FISMA control subcategories. We counted duplicate gaps listed in a FISMA\n             control area only once.\n\nWe conducted this performance audit in accordance with generally accepted government\nauditing standards, except that we did not obtain comments from iFed or PwC. Those standards\nrequire that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a\nreasonable basis for our findings and conclusions based on our audit objectives. We believe that\nthe evidence obtained provides a reasonable basis for our findings and conclusions based on our\naudit objectives.\n\n                                          RESULTS OF REVIEW\n\nPwC\xe2\x80\x99s evaluations of the contractor information security programs were adequate in scope and\nwere sufficient. The majority of data center technical assessments performed by iFed were\nadequate in scope and were sufficient. PwC reported a total of 94 gaps at 21 Medicare\ncontractors. iFed reported a total of 67 gaps at 7 data centers. 
Gaps are defined as the difference\nbetween FISMA or CMS core security requirements and the contractors\xe2\x80\x99 implementation of\nthem.\n\nASSESSMENT OF SCOPE AND SUFFICIENCY\n\nPwC\xe2\x80\x99s evaluations of the contractor information security programs adequately encompassed in\nscope and sufficiency the eight FISMA requirements referenced in section 1874A(e)(1) of the\nAct.\n\nThe scope of the work and sufficiency of documentation for all reported gaps were adequate for\nthe majority of the data center technical assessments. CMS\xe2\x80\x99s contract with iFed provided for the\nplanning, development, and implementation of a comprehensive program to perform testing of\ninformation security controls at Medicare data centers.\n\n\n\n2\n  We present the results of the Medicare contractor information security program evaluations in terms of gaps,\nwhich are defined as the differences between FISMA or CMS core security requirements and the contractors\xe2\x80\x99\nimplementation of those requirements.\n\n\n                                                         4\n\x0cHowever, the test plan documentation supplied by iFed for two of the seven data centers\n(29 percent) did not contain sufficient evidence that all of the testing procedures were performed.\nAdditionally, for these two data centers, we were unable to trace all gaps presented in iFed\xe2\x80\x99s\nreports to supporting documentation in the working papers. Lastly, for one of the seven data\ncenters (14 percent), we were not able to determine whether iFed included all medium- and\nhigh-risk gaps in the report because of inadequate working paper references in the test scripts.\nSee Appendix A for our analysis of the iFed data center assessments.\n\nRESULTS OF MEDICARE CONTRACTOR INFORMATION SECURITY PROGRAM\nEVALUATIONS\n\nAs shown in Table 2, the 21 evaluation reports identified a total of 94 gaps. The average number\nof gaps per contractor was four. 
The number of gaps per contractor ranged from 0 to 15 for\nFY 2009. See Appendix B for a list of gaps per control area by contractor.\n\n                        Table 2: Range of Medicare Contractor Gaps\n                                                Number of Contractors With\n                Number of        Total                     2\xe2\x80\x935      6\xe2\x80\x939    10+\n        FY      Contractors      Gaps     0 Gaps 1 Gap    Gaps     Gaps    Gaps\n       2008         26            161        4     3        8        6      5\n       2009         21             94       10     0        3        3      5\n\nThe number of gaps reported in the PwC FY 2009 evaluation reports decreased by 42 percent\nand the average number of gaps per contractor decreased by 33 percent when compared with the\nresults for FY 2008. While the number of contractors with no gaps increased by 6 (150 percent),\nthe number of contractors with 10 or more gaps remained the same at 5. Of the 19 contractors\nthat were in the program in FY 2008 and FY 2009, 12 contractors had fewer gaps in FY 2009,\n3 had more gaps, and 4 had the same number of gaps. See Appendix C for the FYs 2008\xe2\x80\x932009\npercentage change in gaps per Medicare contractor.\n\nTable 3 summarizes the gaps found in each FISMA control area in FYs 2008 and 2009. Three of\nthe eight FISMA control areas had an increase in gaps for FY 2009. (Appendix D summarizes\nthe changes in a graph.)\n\n\n\n\n                                                 5\n\x0c      Table 3: Gaps by Federal Information Security Management Act Control Area\n                                                                            No. of Contractors\n                                     Impact Levels        No. 
of Gaps       With One or More\n                                       of FISMA            Identified             Gap(s)\n              FISMA                  Control Area        FY         FY        FY         FY\n          Control Area               Subcategories      2008       2009      2008       2009\nPeriodic risk assessments            High/Medium          2           3          2         3\nPolicies and procedures to reduce\n                                          High           23         11          14           7\nrisk\nSecurity program and system\n                                     High/Medium         31         17          16           9\nsecurity plans\nSecurity awareness training             Medium           14         16            9          5\nTesting of information security\n                                          High           50         22          20         11\ncontrols\nRemedial actions                         High           15           8           9           8\nIncident response                        High            1           4           1           4\nContinuity of operations planning    High/Medium        25          13          11           5\n  Total                                                161          94\n\nThe Medicare contractor information security program evaluations covered several subcategories\nwithin each FISMA control area. The \xe2\x80\x9cimpact level\xe2\x80\x9d shown in Table 3 refers to the possible\nlevel of adverse impact that could result from successful exploitation of gaps in any of the\nsubcategories depending on the organization\xe2\x80\x99s mission and criticality and the sensitivity of the\nsystems and data involved. CMS and PwC developed ratings of high, medium, or low impact for\nthe subcategories. The actual ratings assigned to the subcategories were all high or medium\nimpact and were PwC\xe2\x80\x99s assessments. 
It is important to note that the impact levels were assigned to subcategories of the FISMA control areas, not to individual gaps identified within the control areas or subcategories. Individual gaps were assigned an overall risk level on a subjective basis by PwC after taking into consideration the impact and likelihood of occurrence. However, as stated in NIST Special Publication (SP) 800-115, Technical Guide to Information Security Testing and Assessment, section 4.3, it is difficult to identify the risk level of individual vulnerabilities because they rarely exist in isolation.

The following sections discuss the four FISMA control areas containing the most gaps. See Appendix E for descriptions of each subcategory tested for the four control areas.

Testing of Information Security Controls

According to NIST SP 800-53, Recommended Security Controls for Federal Information Systems and Organizations, Control CA-2, the effectiveness of information security policies, procedures, practices, and controls should be tested and evaluated at least annually. NIST SP 800-115, section 2.3, notes that security testing enables organizations to measure levels of compliance in areas such as patch management, password policy, and configuration management. According to GAO’s FISCAM, section 3.3, changes to an application should be tested and approved before being put into production.

Ten of the twenty-one Medicare contractors had no identified gaps in the testing of information security controls, while the remaining 11 had 1 to 3 gaps each.
In total, 22 gaps were identified in this area, with all 22 gaps assigned to high-impact subcategories.

Following are examples of gaps in testing of information security controls:

   •   The contractor did not consistently track and monitor weaknesses identified during a penetration test.

   •   The contractor did not implement a configuration management process to monitor security configuration settings on a quarterly basis for the mainframe platform.

   •   The contractor did not have evidence that it followed its documented change management process for all system software changes.

Without a comprehensive program for periodically testing and monitoring information security controls, management has no assurance that appropriate safeguards are in place to adequately mitigate identified risks.

Security Program and System Security Plans

NIST SP 800-100, Information Security Handbook: A Guide for Managers, section 2.2.5, states that an agency should ensure its information security policy is sufficiently current to accommodate the information security environment and the agency mission and operational requirements. Federal Information Processing Standards (FIPS) 200, Minimum Security Requirements for Federal Information and Information Systems, and NIST SP 800-53, Control PS-3, require organizations to screen employees before granting access to information and information systems. The Executive Summary of NIST SP 800-18, Guide for Developing Security Plans for Federal Information Systems, states that system security plans should provide an overview of a system’s security requirements and describe the controls in place or planned for meeting those requirements.

Twelve of the twenty-one Medicare contractors had no identified gaps in security program and system security plans, while the remaining 9 had 1 to 3 gaps each.
In total, 17 gaps were identified in this area. Eleven gaps were assigned to high-impact subcategories.

Following are examples of gaps in security program and system security plans:

   •   The contractor did not complete background investigations for all selected employees before their hire dates.

   •   The contractor did not review all policies and procedures annually.

   •   The contractor’s system security plan did not accurately list each platform or device that supports Medicare claims processing.

If information security program requirements are not implemented and enforced, management has no assurance that established system security controls will be effective in protecting valuable assets, such as information, hardware, software, systems, and related technology assets that support the organization’s critical missions.

Security Awareness Training

The Computer Security Act of 1987 (P.L. No. 100-235) requires periodic training in computer security awareness and accepted computer practices for all employees who manage, use, or operate Federal computer systems. Additionally, Federal regulations (5 C.F.R. § 930.301(a)) require that role-specific training be provided based on each user’s security responsibilities and require agencies to provide training for employees with significant information security responsibilities. The CMS Business Partners Systems Security Manual requires Medicare contractors to document and monitor information security training activities.

Sixteen of the twenty-one Medicare contractors had no identified gaps in security awareness training, while the remaining 5 had 3 to 4 gaps each. In total, 16 gaps were identified in this area, with no gaps assigned to a high-impact subcategory.
Following are examples of gaps in security awareness training:

   •   The contractor did not formally track and monitor job-specific security training to ensure that employees received the minimal requirements stated in the policy.

   •   Employees did not complete security awareness refresher training.

Employees who are unaware of their security responsibilities or have not received adequate training may be at increased risk of causing or exacerbating a computer security incident. If security personnel are not provided specific job-related training, management has no assurance that these employees can effectively perform their job responsibilities. Inadequately trained employees could cause the loss, destruction, or misuse of sensitive information and information technology (IT) assets.

Continuity of Operations Planning

According to NIST SP 800-34, Contingency Planning Guide for Federal Information Systems, section 2.2, contingency planning represents a broad scope of activities designed to sustain and recover critical information technology services following an emergency. Contingency planning for information systems is part of an overall organizational program for achieving continuity of operations for business operations.

Sixteen of the twenty-one Medicare contractors had no identified gaps in continuity of operations planning, while the remaining 5 had 1 to 4 gaps each. In total, 13 gaps were identified in this area, with 9 gaps assigned to a high-impact subcategory.
Following are examples of gaps in continuity of operations:

   •   The contractor did not arrange for an alternate data processing facility.

   •   The contractor did not perform disaster recovery testing.

   •   The contractor did not update documented results for continuity plan testing in the continuity plan in a timely manner.

If contingency planning activities are inadequate, even relatively minor interruptions of service can result in lost or incorrectly processed data, which can cause financial losses, expensive recovery efforts, and inaccurate or incomplete financial or management information.

RESULTS OF DATA CENTER TECHNICAL ASSESSMENTS

We present the results of the data center technical assessments in terms of gaps. As shown in Table 4, the 7 Medicare data center technical assessment reports identified a total of 67 gaps. The number of gaps per data center ranged from 0 to 44.
The number of data centers with no gaps increased from zero to three when compared with the results for FY 2008.

                             Table 4: Range of Data Center Gaps

                                  Number of Data Centers With
         Total    -----------------------------------------------------------------------
  FY     Gaps     0 Gaps    1–5 Gaps    6–10 Gaps    11–20 Gaps    21–40 Gaps    41–50 Gaps
 2008     48         0          4           2            2             0             0
 2009     67         3          1           1            1             0             1

For FY 2009, CMS contracted with iFed to evaluate NIST security controls at seven data centers. At five data centers, iFed’s testing was limited to a policy and procedure review only, which included testing the following six NIST security control areas:

   •   Awareness and training

   •   Certification, accreditation, and security assessments

   •   Incident response

   •   Maintenance

   •   Media protection

   •   System and services acquisition

At one enterprise data center, iFed reviewed these six control areas, and it also performed vulnerability scanning and a limited-scope assessment of the mainframe, which contributed to testing the following NIST security control categories:

   •   Access control

   •   Configuration management

At one enterprise data center, iFed’s testing included the same six control areas and the vulnerability scanning and limited-scope mainframe assessment plus the following six NIST security controls:

   •   Access control

   •   Audit and accountability

   •   Configuration management

   •   Contingency planning

   •   Planning

   •   System and information integrity

iFed assigned each of the gaps to one of the security control areas. In a manner similar to that of PwC, iFed categorized the risks associated with the individual gaps as high, medium, or low based on the potential impact and likelihood of exploitation. Of the 67 gaps iFed identified across all 7 data centers, 5 gaps were high risk, 30 gaps were medium risk, and 32 gaps were low risk. Eighteen gaps were resolved and closed during or after iFed’s onsite visits to the data centers, including 2 high-risk gaps, 10 medium-risk gaps, and 6 low-risk gaps. Hence, a total of 49 gaps at data centers required corrective action in FY 2009.

The total number of gaps identified in FY 2009 (67) was higher than the number identified in FY 2008 (48), an increase of 19 gaps. This was mainly because 1 enterprise data center had 44 gaps identified by the vulnerability scan. We did not perform a detailed comparison of the number of gaps identified within the security control categories tested for the 2 FYs because the same categories were not tested by iFed at all data centers in FY 2009. CMS uses a rotational approach in performing its technical assessments of data centers. Some categories are not tested every year.

Table 5 presents the aggregate results reported for the seven data centers. Appendix F shows the number of reported gaps at each data center by security control area.

                            Table 5: Data Center Reported Gaps by
            National Institute of Standards and Technology Security Control Area

                                                 Total No.    No. of Data   No. of      No. of        No. of
  Security Control Area                          of Gaps      Centers       High-Risk   Medium-Risk   Low-Risk
                                                 Identified   w/ Gaps       Gaps        Gaps          Gaps
  Configuration management                          28            2            4            11           13
  Access control                                    16            2            1             8            7
  Media protection                                   7            2            0             4            3
  System and services acquisition                    6            3            0             3            3
  Certification, accreditation, and                  2            1            0             1            1
    security assessment
  Contingency planning                               2            1            0             2            0
  Incident response                                  2            1            0             0            2
  Maintenance                                        2            2            0             0            2
  Audit and accountability                           1            1            0             1            0
  Awareness and training                             1            1            0             0            1
  Total                                             67                         5            30           32

Note: iFed did not report any gaps in the NIST security control areas of planning and systems and information integrity for the one data center in which those areas were tested.

The following sections discuss the four security control areas with the highest number of gaps.

Configuration Management

GAO’s FISCAM, section 3.3, indicates that without proper configuration management, security features could accidentally or intentionally be turned off. In addition, processing irregularities or malicious code could be introduced that allows access to sensitive data, or a virus could be introduced that disrupts processing.
NIST SP 800-70, National Checklist Program for IT Products—Guidelines for Checklist Users and Developers, identifies the use of security configuration checklists as a way to improve the consistency of system security and help protect against common and dangerous local and remote threats.

We noted configuration management gaps at the two enterprise data centers that were tested for configuration management. Following are examples of gaps in this area:

   •   A server was missing a critical update that fixes security issues.

   •   A Web server was running unnecessary services that increased the risk of unauthorized access.

   •   A server was vulnerable to a man-in-the-middle attack, in which an unauthorized party intercepts traffic between an authorized computer and a wireless access point and uses that information to do something malicious, such as hijacking future traffic or obtaining sensitive information.

Access Control

According to GAO’s FISCAM, section 3.2, inadequate access controls diminish the reliability of computerized data and increase the risk of destruction or inappropriate disclosure of data. Gaps in access control create vulnerabilities in the confidentiality, integrity, and availability of Medicare data and systems. Associated gaps in the configuration of systems software that control access to systems can make computers vulnerable to unauthorized access.

We noted access control gaps at the two enterprise data centers that were tested for access control.
Following are examples of gaps in this area:

   •   An excessive number of users had the ability to make changes to sensitive system files.

   •   Weak encryption codes were in use by a remote server.

   •   A remote server had sensitive shared directories that unauthorized users could read.

Media Protection

According to NIST SP 800-53, Control MP-3, an organization should mark removable information system media and information system output indicating the distribution limitations, handling caveats, and applicable security markings of the information. According to Control MP-6, an organization should sanitize information system media, both digital and nondigital, before disposal, release outside of the organization’s control, or reuse.

Of the seven data centers in which media protection was tested, two had control gaps in the area of media protection. Following are examples of gaps in this area:

   •   Nondigital media were not subject to labeling requirements.

   •   The contractor had not obtained a complete sanitization certificate from the disposal contractor that documented the tapes that had been disposed of.

System and Services Acquisition

According to NIST SP 800-53, Control SA-6, the organization should use software and associated documentation in accordance with contract agreements and copyright laws and should employ tracking systems for software and associated documentation protected by quantity licenses to control copying and distribution.

Of the seven data centers in which system and services acquisition was tested, three had control gaps in the area of system and services acquisition.
Following are examples of gaps in this area:

   •   The contractor did not provide documentation showing that software, shareware, and associated documentation were deployed and maintained in accordance with license agreements and copyright laws.

   •   A list containing systems with both authorized and unauthorized software did not exist, and there was no tool to verify the inventory of installed software.

   •   The system used to track software licenses was inaccurate when compared with the number of licenses listed in the system security plan.

CONCLUSION

The work performed by PwC to evaluate contractor information security programs adequately encompassed the eight FISMA requirements referenced in section 1874A of the Act. Gaps reported during the PwC program evaluations were supported by documented evidence.

The scope of the work and the documentation supporting all reported gaps were sufficient for the majority of the data center technical assessments performed by iFed. However, in some cases, the test plan documentation did not contain sufficient evidence that iFed performed all of the testing procedures, and we were not able to trace all gaps presented in iFed’s reports to supporting documentation for some of the weaknesses identified in the reports. In one case, we were not able to determine whether iFed included all medium- and high-risk gaps in the report because of inadequate working paper references in the test scripts.

RECOMMENDATION

We recommend that CMS review all contractor documentation related to future data center technical assessments and ensure that the work performed complies with CMS contractual requirements.
At a minimum, this should include a review of test plans to ensure that the contractor has completed all required testing procedures and a review of contractor working papers to verify that reported gaps have been adequately supported, identified, and included in the technical assessment reports.

CENTERS FOR MEDICARE & MEDICAID SERVICES COMMENTS

In written comments on our draft report, CMS concurred with our recommendation. CMS also stated that it would take the appropriate actions to address the identified issues. We have included CMS’s comments in their entirety as Appendix G.

APPENDIXES

            APPENDIX A: ASSESSMENT OF SCOPE AND SUFFICIENCY
                 FOR THE iFed DATA CENTER ASSESSMENTS

                Office of Inspector General Criteria for Assessing iFed Working Papers

                 Sufficient Evidence That    Sufficient Documentation    Reported All Medium-
  Data Center    All Work Was Performed?     for All Reported Gaps?      and High-Risk Gaps?
       1                  Yes                         Yes                        Yes
       2                  Yes                         Yes                        Yes
       3                  Yes                         Yes                        Yes
       4                  No                          No                         No
       5                  Yes                         Yes                        Yes
       6                  Yes                         Yes                        Yes
       7                  No                          No                         Yes

iFed, LLC = iFed

                                APPENDIX B: LIST OF GAPS BY
                   FEDERAL INFORMATION SECURITY MANAGEMENT ACT OF 2002
                         CONTROL AREA AND MEDICARE CONTRACTOR

                                        Control Areas (With Impact Levels)

               Periodic      Policies and   Security      Security     Testing of    Remedial   Incident   Continuity
               Risk          Procedures     Program and   Awareness    Information   Actions    Response   of Operations
  Medicare     Assessments   To Reduce      System        Training     Security      (High)     (High)     Planning       Total
  Contractor   (High)        Risk (High)    Security      (Medium)     Controls                            (High)         Gaps
                                            Plans (High)               (High)
      1            1              1              3            3             2            1          0           4           15
      2            1              1              3            3             2            1          0           4           15
      3            0              0              0            0             0            0          0           0            0
      4            0              0              0            0             0            0          0           0            0
      5            0              0              3            0             1            1          0           0            5
      6            0              3              1            0             2            0          0           1            7
      7            0              0              0            0             0            0          0           0            0
      8            0              0              0            0             0            0          0           0            0
      9            0              0              0            0             0            0          0           0            0
     10            0              0              0            0             0            0          0           0            0
     11            0              0              0            0             0            0          0           0            0
     12            0              0              0            0             0            0          0           0            0
     13            0              0              0            0             0            0          0           0            0
     14            0              0              0            0             0            0          0           0            0
     15            0              1              1            3             2            1          1           2           11
     16            0              1              1            3             2            1          1           2           11
     17            1              0              3            4             3            1          0           0           12
     18            0              0              0            0             2            0          1           0            3
     19            0              0              0            0             2            0          1           0            3
     20            0              2              1            0             2            1          0           0            6
     21            0              2              1            0             2            1          0           0            6
  Total            3             11             17           16            22            8          4          13           94

         Note: Impact levels for Federal Information Security Management Act of 2002 (FISMA) control areas were derived by PricewaterhouseCoopers by taking the highest value from among the subcategories.

APPENDIX C: PERCENTAGE CHANGE IN GAPS PER MEDICARE CONTRACTOR

  Contractor              FY 2008 GAPS        FY 2009 GAPS        % Change
       1                        4                  15                275
       2                      N/A                  15                N/A
       3                        4                   0               (100)
       4                        3                   0               (100)
       5                        6                   5                (17)
       6                        1                   7                600
       7                        0                   0                  0
       8                        1                   0               (100)
       9                        0                   0                  0
      10                      N/A                   0                N/A
      11                        0                   0                  0
      12                        6                   0               (100)
      13                        5                   0               (100)
      14                        6                   0               (100)
      15                       20                  11                (45)
      16                       20                  11                (45)
      17                        6                  12                100
      18                        4                   3                (25)
      19                        3                   3                  0
      20                        7                   6                (14)
      21                        8                   6                (25)
  Contractors No Longer
    in Program                 57                   -                  -
  Total                       161                  94                (42)

Note: Contractors listed as “N/A” were new Medicare Administrative Contractors in FY 2009.

FY = fiscal year

        APPENDIX D: MEDICARE CONTRACTOR CHANGE IN TOTAL GAPS
       BY FEDERAL INFORMATION SECURITY MANAGEMENT ACT OF 2002
                            CONTROL AREA

[Figure: bar chart of total gaps (vertical axis “Gaps”, 0 to 60) by FISMA Control Area (horizontal axis), with one bar per control area for FY2008 and FY2009.]

     APPENDIX E: RESULTS OF MEDICARE CONTRACTOR EVALUATIONS
     FOR FEDERAL INFORMATION SECURITY MANAGEMENT ACT OF 2002
         CONTROL AREAS WITH THE GREATEST NUMBER OF GAPS

The “impact level” shown in Tables 1 through 4 on the following pages refers to the level of adverse impact that could result from successful exploitation of a vulnerability in any of the FISMA control areas.
Impact can be described as high, medium, or low in light of the\norganization\xe2\x80\x99s mission and criticality and the sensitivity of the systems and data involved.\nPricewaterhouseCoopers assigned a rating of high or medium impact to each of the subcategories\nin the agreed-upon procedures developed by the Centers for Medicare & Medicaid Services\n(CMS). It is important to note that the impact levels were assigned to subcategories of the\nFISMA control areas, not the individual gaps identified within the control areas or subcategories.\nIndividual gaps were assigned an overall risk level on a subjective basis by\nPricewaterhouseCoopers after taking into consideration the impact and likelihood of occurrence.\n\x0c                                                                                         Page 2 of 5\n\nTESTING OF INFORMATION SECURITY CONTROLS\n\nThe Medicare contractor information security program evaluations covered five subcategories\nrelated to the testing of information security controls. The evaluation reports identified a total of\n22 gaps in this FISMA control area.\n\n                    Table 1: Testing of Information Security Controls Gaps\n                                                        Total No. 
of Gaps           Subcategory\n                        Subcategory                       in This Area              Impact Level\n     Management reports exist for the review and\n     testing of information security policies and\n     procedures, including network risk assessments,\n1                                                               4                        High\n     accreditations and certifications, internal and\n     external audits, security reviews, and penetration\n     and vulnerability assessments.\n     Annual reviews and audits are conducted to\n     ensure compliance with FISMA guidance from\n     the Office of Management and Budget for\n2    reviews of security controls, including logical            9                        High\n     and physical security controls, platform\n     configuration standards, and patch management\n     controls.\n     Remedial action is being taken for issues noted in\n3                                                               3                        High\n     audits.\n4    Change control procedures exist.                           2                        High\n     Change control procedures are tested by\n5                                                               4                        High\n     management to ensure they are in use.\n       Total                                                   22\n\x0c                                                                                       Page 3 of 5\n\nSECURITY PROGRAM AND SYSTEM SECURITY PLANS\n\nThe Medicare contractor information security program evaluations assessed 10 subcategories\nrelated to security program and system security plans. The evaluation reports identified a total of\n17 gaps in this FISMA control area.\n\n                 Table 2: Security Program and System Security Plan Gaps\n                                                       Total No. 
of\n                                                       Gaps in This  Subcategory Impact\n                        Subcategory                       Area             Level\n 1   A security plan is documented and approved.            1               High\n     A security management structure has been\n 2                                                          2               High\n     established.\n     Information security responsibilities are clearly\n 3                                                          0               High\n     assigned.\n 4   Owners and users are aware of security policies.       0               High\n     Hiring, transfer, termination, and performance\n 5                                                          0               High\n     policies address security.\n     Management has documented that it periodically\n     assesses the appropriateness of security policies\n 6                                                          2               High\n     and compliance with them, including testing of\n     security policies and procedures.\n     Management ensures that corrective actions are\n 7                                                          3               High\n     effectively implemented.\n 8   The plan is kept current.                              1             Medium\n 9   Employee background checks are performed.              4             Medium\n     Security employees have adequate security\n10                                                          4             Medium\n     training and expertise.\n       Total                                               17\n\x0c                                                                                         Page 4 of 5\n\nSECURITY AWARENESS TRAINING\n\nThe Medicare contractor information security program evaluations assessed six subcategories\nrelated to security awareness training. 
The evaluation reports identified a total of 16 gaps in this FISMA control area.

                          Table 3: Security Awareness Training Gaps

No.  Subcategory                                                     Gaps  Impact Level
1    Employees have received a copy of the Rules of Behavior.           5  Medium
2    Employee training and professional development have been           5  Medium
     documented and formally monitored.
3    Mandatory annual refresher training for security occurs            5  Medium
     routinely.
4    Systemic methods are employed to make employees aware of           0  Medium
     security (e.g., posters, booklets).
5    Employees have received a copy of or have easy access to           0  Medium
     agency security procedures and policies.
6    Security professionals have received specific training for         1  Medium
     their job responsibilities and the type and frequency of
     application-specific training provided to employees and
     contractor personnel is documented and tracked.
     Total                                                             16

CONTINUITY OF OPERATIONS PLANNING

The Medicare contractor information security program evaluations assessed 13 subcategories
related to continuity of operations planning.
The evaluation reports identified a total of 13 gaps in this FISMA control area.

                       Table 4: Continuity of Operations Planning Gaps

No.  Subcategory                                                     Gaps  Impact Level
1    Emergency processing priorities have been established.             0  High
2    Adequate environmental controls have been implemented.             0  High
3    Hardware maintenance, problem management, and change               0  High
     management procedures exist to help prevent unexpected
     interruptions.
4    Policies and procedures for disposal of data and equipment         2  High
     exist and include applicable Federal security and privacy
     requirements.
5    An up-to-date contingency plan is documented.                      0  High
6    The plan is periodically tested.                                   0  High
7    Results are analyzed and contingency plans adjusted                1  High
     accordingly.
8    Physical security controls exist to protect information            0  High
     technology resources.
9    Critical data and operations are formally identified and           2  Medium
     prioritized.
10   Resources supporting critical operations are identified in         2  Medium
     contingency plans.
11   Data and program backup procedures have been implemented.          4  Medium
12   Staff has been trained to respond to emergencies.                  2  Medium
13   Arrangements have been made for alternate data processing          0  Medium
     and telecommunications facilities.
     Total                                                             13

  APPENDIX F: LIST OF GAPS BY NATIONAL INSTITUTE OF STANDARDS AND
       TECHNOLOGY SECURITY CONTROL AREA AND DATA CENTER

                                                    Data Center
NIST Security Control Area             1     2     3     4     5     6     7   Total Gaps
Configuration Management             N/A   N/A    26   N/A   N/A   N/A     2           28
Access Control                       N/A   N/A    12   N/A   N/A   N/A     4           16
Media Protection                       0     0     1     6     0     0     0            7
System and Services Acquisition        1     0     2     0     0     0     3            6
Certification, Accreditation, and      2     0     0     0     0     0     0            2
  Security Assessment
Contingency Planning                 N/A   N/A   N/A   N/A   N/A   N/A     2            2
Incident Response                      0     0     2     0     0     0     0            2
Maintenance                            1     0     1     0     0     0     0            2
Awareness and Training                 0     0     0     0     0     0     1            1
Audit and Accountability             N/A   N/A   N/A   N/A   N/A   N/A     1            1
Total                                  4     0    44     6     0     0    13           67

NIST = National Institute of Standards and Technology

N/A = NIST Security Control Area was not tested at the Data Center

Note: iFed did not report any gaps in the NIST security control areas of planning and system and
information integrity for the enterprise data center in which those areas were tested.

APPENDIX G: CENTERS FOR MEDICARE & MEDICAID SERVICES COMMENTS

DEPARTMENT OF HEALTH & HUMAN SERVICES
                                                                 Administrator
                                                                 Washington, DC 20201

DATE:     AUG 04 2011

TO:       Daniel R. Levinson
          Inspector General

FROM:     Donald M. Berwick, M.D.
          Administrator

SUBJECT:  Office of Inspector General (OIG) Draft Report.
Review of Medicare Contractor Information Security Program Evaluations for Fiscal Year 2009
(A-18-10-30300)

The Centers for Medicare & Medicaid Services (CMS) appreciates the opportunity to review and
comment on the OIG draft report titled "Review of Medicare Contractor Information Security
Program Evaluations for Fiscal Year 2009" (A-18-10-30300). We appreciate the OIG's efforts
to assess the scope and sufficiency of Medicare contractor information security program
evaluations and data center technical assessments.

OIG RECOMMENDATION:

The OIG recommends that CMS review all contractor documentation related to future data
center technical assessments and ensure that the work performed complies with CMS contractual
requirements. At a minimum, this should include a review of test plans to ensure that the
contractor has completed all required testing procedures and a review of contractor working
papers to verify that reported gaps have been adequately supported, identified, and included in
the technical assessment reports.

CMS RESPONSE:

We concur with this recommendation. We will ensure that future work related to data center
technical assessments complies with CMS contractual requirements, as well as OIG
requirements. Starting in fiscal year 2010, we expanded the scope of the contract for the existing
oversight contractor responsible for performing the 912 evaluations to include these additional
elements.

We thank the OIG for their thoughtful recommendation and we appreciate the OIG's
constructive input. Additionally, we look forward to working in conjunction with OIG to
facilitate continual improvement in administering the Medicare program.